For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writings, others hate them. If you like it, follow me!

Saturday, March 12, 2016

When I was young, my great grandmother used to have a saying "self praise stinks", and for that reason I never authored my own military medal recommendations, and for years struggled with writing my own inputs for my annual fitness reports. But this week my team had a nice success, and I thought I'd share the story.

Earlier in the week one of our 'tripwires' fired off suggesting that one of our Red Sky members might be the target of an impending attack. After checking the facts, it turned out that we were right.

We authored a situation report and a warning, called the member, and fired off the written warning --complete with names of actors believed involved, tools expected to be used, the expected target, and the time of the attack. I authored the initial report, and sadly, the old man mistakenly offset for the wrong timezone and called the attack time for 12 hours earlier than it really was. We corrected the timezone, informed the member, and when the time came, stood by them in an online bridge throughout the process.

For over two hours on the bridge, we assisted with the online cyber ruckus, eventually pointing the member to the exact file that we believed would be exploited. Once the file was deleted from the host, the attack stopped.

Shortly after, we pulled the team together and authored the after action. I realize that many companies fight these fights on a regular basis, but in this case, my guys aren't incident responders, they're intelligence pros, and in this case, they called it dead on... and for that, I'd like to take a moment and offer my team a very strongly worded BRAVO ZULU. Nice job!

BT

On nearly every sales call lately, someone says to me, "Why do I need another feed?"

My answer? A feed tells you about everything. Intelligence tells you about you. I've used this analogy many times --If I walk into a bar and end up in a bar fight, I'll hit the guy standing in front of me first, then deal with his friends, and probably won't worry too much about all of the fights in all of the other bars around the world --at least not tonight. Feeds tell you about the bar fights happening around the world, but not how to deal with the guy standing in front of you. We run an indicator database that you can use inexpensively --ThreatRecon.co starts at free, then increases slightly based on volume. Cyberwatch(R), our newest offering, is also free --it creates a Cyber Threat Index(R) based on the number of times that we see you in our intelligence sources and plots the score daily --against your stock price. Again, no cost to log in and look --only to buy intelligence behind the graphics.

We send cyber early warning reports several times every day. I've written in previous posts about some of our 'get to the left of kill chain' processes. We have small successes every day, but this week we had a good one. And to have my guys sit on the bridge while a member was able to successfully defend themselves --at least this time. And we're happy to have been part of putting this one 'X' in the win column.